• Status: Solved

no desktop after removal of malware/viruses

I just cleaned a computer of over 100 malware/viruses, and on reboot, the background picture comes up, and I can see the arrow from the mouse. But no icons, no taskbar, nothing else at all. The Windows key does nothing. Ctrl-Alt-Del will bring up the Task Manager. What can I do/run?
Thanks.
Asked:
yellow1053
1 Solution
 
sjklein42 Commented:
Try this first:

1. Right-click the desktop.
2. Point to Arrange Icons By.
3. Click Show Desktop Icons.

 
sjklein42 Commented:
If that doesn't work, then from within the Task Manager, try running "Explorer".
 
yellow1053 (Author) Commented:
Right click and left click do nothing. The arrow never turns to an hourglass either. Thanks though.

 
yellow1053 (Author) Commented:
Actually I had tried to manually start explorer but get the following error:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
:(
 
yellow1053 (Author) Commented:
Oh, and by the way, the same results when in safe mode too (just no background picture, just a black screen).
 
sjklein42 Commented:
The virus has apparently blocked the execution of explorer.exe.

Here's a suggestion of how to create a copy of explorer.exe with a different name "explore.exe".  This should bypass the block.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/123561

1. Hit Ctrl+Alt+Delete.
2. New task, browse C:\windows.
3. Copy explorer.exe and paste it in C:\windows. It will be called "copy of Explorer.exe". Rename it explore.exe.
4. Open regedit in C:\windows.
5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (single-click on Winlogon).
6. Double-click on Shell (which is in the column beside Winlogon). In the place where it is written explorer.exe, write C:\windows\explore.exe (the new one you just pasted).
7. Hit Ctrl+Alt+Delete.
8. New task, browse C:\windows\explore.exe.
 
ckivml Commented:
Did you try to boot in Safe Mode? If not, please boot your Windows in Safe Mode.

Press F8 and select safe mode

and see how it works
 
nobus Commented:
 
phototropic Commented:
There is a full and complete explanation of how to fix this problem in the following EE article:

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6209-Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files.html?sfQueryTermInfo=1+30+desktop+icon+miss

To quote rpggamergirl:

"...These rogues hide files and move desktop shortcuts and Programs startmenu shortcuts into this folder --> %temp%\smtmp, it then creates 4 subdirectories:

%Temp%\smtmp\1\ => Allusers Start Menu
%Temp%\smtmp\2\ => Allusers Quick Launch
%Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => AllUsers Desktop

If you did not empty your temp folder you can just retrieve those files from there. Or using restoresm.zip which will restore all the missing shortcuts. restoresm.zip
Extract the file, open the restoresm folder and double-click on restoresm.bat to run it..."

Have you cleared your temp file cache since removing the malware?

 
yellow1053 (Author) Commented:
sjklein42: I get the following error when trying to copy explorer: "Error copying file or folder. Cannot copy explorer, access is denied."

ckivml: I did, as noted above, also try in Safe Mode, but have the same results.

nobus: sysu.exe and ddm_d.exe are not running in the processes, and explorer.exe does not have the hidden attribute set.

phototropic: I did not clear temp files, as I cannot access the desktop or anything since removing the viruses/malware. However, I copied and ran restoresm.zip, but same results on reboot. :(
 
sjklein42 Commented:
There are several ways the virus can disable access to explorer.exe.  This is the first place I'd check:

http://www.technipages.com/prevent-users-from-running-certain-programs.html

1. Click START>RUN and type GPEDIT.MSC

2. The Group Policy Editor appears.
Click on the plus sign next to User Configuration
then Administrative Templates
then System
and double-click the policy Don’t run specified Windows applications

3.  It should say "Not Configured".  If it says "Enabled", then click the "Show..." button to see if Explorer.exe has been blocked.
 
younghv Commented:
The 'rpg' Article suggested by phototropic at http:#a36578783 is time-tested and has been used by many EE Members since it was published.

Please take a look (as suggested above) and walk through the steps provided:

http://www.experts-exchange.com/A_6209.html 
Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files
 
sjklein42 Commented:
The virus may have blocked access to Explorer.exe by setting Special Permissions on it:

http://support.microsoft.com/kb/308419

At this point, I would load a good copy of Explorer.exe from another XP machine onto a USB drive, change its name to Explore.exe, and run it on the wounded machine directly from the USB drive.  At least then you will have a shell to work in.  Then check the Permissions on the Explorer.exe that is on your hard drive.

Note that you will need to (temporarily at least) disable Simple File Sharing in order to see the Security tab in the File Properties window.
 
yellow1053 (Author) Commented:
sjklein42: Everything went as you said until I clicked on System, and your next step, "double-click the policy Don’t run specified Windows applications", can't be done as there is NO policy stating "don't run specified windows applications".

younghv: As I stated above, I did all that with no results. (I actually ran command first, and then ran it, so I could see what it was doing, and for all four files the result was 0 files copied. That temp directory doesn't exist.)

sjklein42: OK! We may be on to something here!!! I did as you suggested and ran a good copy of explore from a USB drive, and was able to check permissions. (Here's where it gets interesting!) I have TWO explorer files there! One is the normal exe file, and its permissions allow for one group, "Everyone", set to Full Control. But then there is an explorer.scf file whose permissions are many. There are four groups: Administrators, Power Users, System, and Users. Admin and System allow for full control. But Power Users and Users only allow for read and execute, and read.
Could this be the source of my problems??
 
sjklein42 Commented:
The .scf file is a shortcut and does not explain why Explorer.exe cannot be accessed.

For now, you can work around the blocked Explorer.exe and should be able to boot normally after making this change:

- Copy the functional Explore.exe from the USB drive to your c:\Windows folder.
- Run regedit.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (single-click on Winlogon).
- Double-click on Shell (which is in the column beside Winlogon). In the place where it is written explorer.exe, replace with C:\windows\explore.exe (the new file you just copied there).
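
The thread checks three places for whatever is blocking explorer.exe: the Winlogon Shell value, the "Don't run specified Windows applications" policy, and the file's permissions. The batch file below is an added example, not part of the original thread, that reads all three from a cmd.exe prompt started through Task Manager's New Task. The DisallowRun registry location is the standard backing store for that policy and is not quoted from the thread; the script changes nothing on the machine.

```batch
@echo off
rem Added example, not from the thread: read-only triage of the three places
rem the thread inspects when explorer.exe will not start.
rem Start cmd.exe from Task Manager (File, New Task) and run this file there.
setlocal

set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
rem Assumption: registry location behind the per-user policy
rem "Don't run specified Windows applications".
set "POLICY=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

echo === 1. Winlogon Shell value, Windows default is Explorer.exe ===
reg query "%WINLOGON%" /v Shell
if errorlevel 1 echo Shell value is missing or unreadable.

echo.
echo === 2. DisallowRun policy for the current user ===
reg query "%POLICY%" /v DisallowRun >nul 2>&1
if errorlevel 1 goto no_policy
rem The switch is set: show it, then list the blocked program names.
reg query "%POLICY%" /v DisallowRun
reg query "%POLICY%\DisallowRun"
goto check_file

:no_policy
echo DisallowRun is not set for this user.

:check_file
echo.
echo === 3. Permissions and attributes on explorer.exe ===
cacls "%SystemRoot%\explorer.exe"
attrib "%SystemRoot%\explorer.exe"

endlocal
```

After the workaround above, check 1 will report C:\windows\explore.exe; any value other than the default Explorer.exe deserves a look, because it names the program started as the shell at logon.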
 
yellow1053 (Author) Commented:
Thanks a lot, everyone!